Web3 developers have been working around the clock since Thirdweb reported a security vulnerability in pre-built smart contracts from a popular public library.
As the vulnerability affects some of the most common types of smart contract used by the industry, such as Ethereum ERC-721 and ERC-1155, it poses a significant risk to hundreds of projects.
Yet, the prominent Web3 developers' toolkit platform waited two weeks to make the matter known, explaining that it was "critical to have a robust mitigation plan in place before making a public announcement."
Discovered on November 20, the vulnerability was fixed two days later on Thirdweb's new smart contract templates, but the matter was only made public earlier this week on December 4.
During that time, the company contacted the open-source library containing the vulnerable code, worked with several ecosystems and platforms to find a way to protect its users, and built a mitigation tool so developers could detect the issue.
The tool made available by Thirdweb has "helped successfully mitigate over 8,000 smart contracts across 43 chains" in the 48 hours following its announcement.
Thirdweb has also been extremely cautious in communicating the matter to the outside world, avoiding revealing any details that malicious actors could use to exploit the vulnerability, such as the public library at fault or precise instructions on how to fix the code.
This caution has caused anxiety in some users and companies who are trying to figure out if they have been affected and how best to protect themselves. Sean Bonner, an NFT creator impacted by the situation, said, "It would have been nice if the announcement also included the fix instead of just launching everyone into the unknown."
Distress, however, has been minimized by the Web3 community's proactive and all-encompassing response. While developer teams were quickly put to work to solve the problem, NFT marketplaces, public libraries, and other decentralized platforms warned their users about what was happening and about the efforts under way to solve the issue.
The successful deployment of Thirdweb's mitigation strategy has allowed it to contain the number of exploits using the vulnerability since it became public to just two.
Despite the community's best efforts, the issue is a time bomb. The more hours pass, the higher the chance that hackers find and exploit the vulnerability, leading Thirdweb to reiterate its warning: "If you are a smart contract owner who has not yet used our mitigation tool, it is still critical you do so."